By Thomas Steffens, TÜV Rheinland Industrie Service GmbH
Many industries have championed significant developments in drive applications in the past decade. As a result, they’ve been creating a new generation of applications and integration efforts generally referred to as safety-related applications.
This article outlines the general requirements regarding drives, particularly the EN 61800-5-2 standard, and discusses the implications for the new European Machinery Directive 2006/42/EC.
Drives With Integrated Safety Functions
According to the harmonized safety standards of the European Machinery Directive, the complete safety loop has to be considered in a machine's safety function application. The safety loop implies that all parts in the application share responsibility for the safety function. Typically, a safety loop consists of a sensor, logic and an actuator. For example, a light curtain could function as the sensor, a safety PLC as the logic, and a drive with integrated safety as the final element.
In general, a common safety function of drives is to stop a hazardous movement and/or to prevent an unexpected restart. The sensor, logic and actuator/final element work together in the safety function to prevent a hazardous movement.
A traditional design depends on external electromechanical components to interrupt the electrical power to the drive/motor. However, drives that include certified, integrated safety functions are starting to take advantage of controls to initiate full stops in the safety loop. This "electronic shutdown" of the drives/motors naturally provides various advantages in areas such as response times, reduced mechanical wear and tear, and component size. In most cases, this results in improved effectiveness and cost reduction.
The Applicable Standard
EN 61800-5-2 (adjustable speed electrical power drive systems) is the most applicable harmonized product standard for drives. Within this standard, the most basic safety function is the Safe Torque Off (STO).
Typically, to achieve STO, the final drive pulse-width-modulation (PWM) signals must be safely disconnected from the final switching transistors to prevent the motor from producing any further torque. This often is referred to as "safe state." The torque is removed, but, in some cases, the motor still could be turning due to its free inertia. Therefore, additional measures—brakes, for example—are necessary to prevent further motion.
All other safety functions described in the EN 61800-5-2 standard, such as Safe Stop 1 (SS1) and Safely Limited Speed (SLS), usually include the STO function as part of the safe state. The standard also requires that if any dangerous fault occurs in the safety-related circuits, the output goes into the safe state. The safe state must be defined clearly, and in its final form it is STO. This sometimes is referred to as the fault reaction of a safety function.
These safety functions could be a part of the drive firmware, but in general the integrated safety is independent of the drive firmware. Most manufacturers realize integrated safety with a safety module. This safety module is responsible for the monitoring functions for safe motion, safe torque, etc. The STO function is realized by discrete hardware, and is an integral part of the standard drives. The safety module uses this STO safety circuit to switch off the drive.
The EN 61800-5-2 standard also defines requirements for safety-related monitor functions, including speed limit and position. Today, most manufacturers that supply drives are encouraged to comply with the EN 61800-5-2 standard, and to offer STO as the primary basic safety function. This safety function usually is realized by low-complexity discrete hardware—without the involvement of software. The drive’s main controller, if necessary, could solely provide additional diagnosis for this hardware. Let’s review the safety functions more closely.
Safe Torque Off (STO)
STO has one primary attribute as a safety function. When STO is activated, the drive does not provide any further torque to the machine/motor. If external forces to the load are expected, additional measures must be taken to prevent any further hazardous movement.
Safe Operating Stop (SOS)
Another integrated safety-related function is the Safe Operating Stop (SOS), which is required to monitor a specified position range during standstill. In the event of a fault within the SOS, STO and brake function are activated to maintain safe state. The STO part here is referred to as the "fault reaction" of the SOS function. Hence, the STO is a prerequisite.
STO should be designed for the highest Safety Integrity Level (SIL), SIL 3, according to EN 62061/EN 61800-5-2, and for Performance Level e (PL e), according to EN ISO 13849-1. The STO function is required to achieve the final safe state in case of safety-related faults. Also, the other safe-stop functions and safety-related monitoring functions are based on the STO function, and therefore depend on the safety integrity of the STO function. The STO function could be described as the bottleneck of the safety loop. For most applications where safety-related monitoring functions are used, SIL 2/PL d could be sufficient.
Other important safety functions are SS1 and SS2, and the standard defines three different ways to achieve them. The most popular or simplified requirement is based on a fixed or predefined time delay after which the STO or SOS is activated. The time-dependent course for this is depicted in the figures below.
For SS1, after the time delay has expired, only the torque to the machine/motor is removed (STO function). In this state, there still could be motor rotation; whether this is allowed depends on the application. For SS2, after the time delay has expired, the position of the machine/motor is monitored and no rotation outside of the defined range is allowed.
To realize safety-related monitoring functions that depend on speed and position values, the encoder must be taken into account, because it provides the independent actual speed or position information. The encoder therefore must fulfill the same SIL and/or Performance Level as the safety-related monitoring function, and also must remain part of the safety loop. As a result, an increasing number of encoder manufacturers now consider certification ranging from SIL 2 to SIL 3.
EN 61800-5-2 further lists various functions as "designated safety functions." Typically, these often-used safety-related monitoring functions include Safely Limited Speed (SLS).
As a safety function, SLS keeps the drive speed from exceeding a pre-defined limit. Typically, this is done by an integrated safety-related monitoring function in combination with an encoder or a similar device. The safety-related monitoring unit ensures that the safe speed (SLS value) is not exceeded. To complete the SLS function, the encoder independently feeds back the actual speed to the integrated safety-related monitoring function. Together, these two major components—the safety-related monitoring unit and the encoder—are safety-relevant.
In the event of a fault or a demand, the STO or SOS would be executed to ensure safe state (as a fault reaction or a result of a demand).
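The behaviour described above for SS1, SS2 and SLS can be sketched as a small monitoring state machine: a stop demand starts a fixed delay, after which SS1 ends in STO and SS2 ends in SOS with a position window, while SLS is checked against independent encoder feedback and every violation or encoder fault takes the fault reaction into STO. This is an added illustration, not code from the article or from any drive vendor; the delay, speed limit, position window and encoder samples are assumed values.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    RUN = "run"            # normal operation, SLS monitored
    STOPPING = "stopping"  # SS1/SS2 time delay running, drive decelerates
    STO = "sto"            # torque removed: the safe state and fault reaction
    SOS = "sos"            # standstill, position window monitored


@dataclass
class SafetyMonitor:
    stop_delay_ms: int      # fixed delay after which STO (SS1) or SOS (SS2) applies
    sls_limit: float        # safely limited speed (assumed unit: mm/s)
    sos_window: float       # allowed position deviation in SOS (assumed unit: mm)
    state: State = State.RUN
    stop_mode: str = ""     # "SS1" or "SS2" while STOPPING
    timer_ms: int = 0
    hold_pos: Optional[float] = None
    events: list = field(default_factory=list)

    def request_stop(self, mode: str) -> None:
        """Demand of SS1 or SS2: start the fixed time delay."""
        self.state, self.stop_mode, self.timer_ms = State.STOPPING, mode, 0

    def _fault(self, reason: str) -> State:
        """Fault reaction: a detected fault or violated limit always ends in STO."""
        self.events.append(reason)
        self.state = State.STO
        return self.state

    def step(self, dt_ms: int, speed: float, pos: float, enc_ok: bool = True) -> State:
        """One monitoring cycle fed with independent encoder speed and position."""
        if self.state == State.STO:
            return self.state                       # STO is latched until reset
        if not enc_ok:                              # encoder is part of the safety loop
            return self._fault("encoder feedback invalid")
        if self.state == State.RUN and abs(speed) > self.sls_limit:
            return self._fault("SLS limit exceeded")
        if self.state == State.STOPPING:
            self.timer_ms += dt_ms
            if self.timer_ms >= self.stop_delay_ms:
                if self.stop_mode == "SS1":
                    self.state = State.STO          # only torque removed; rotation may continue
                else:
                    self.state, self.hold_pos = State.SOS, pos
        elif self.state == State.SOS and abs(pos - self.hold_pos) > self.sos_window:
            return self._fault("SOS position window violated")
        return self.state
```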
The product standard EN 61800-5-2 covers the most common safety-related drive functions, including, among others:
- Safely Limited Position (SLP)
- Safely Limited Increment (SLI)
- Safe Direction (SDI)
- Safe Brake Control (SBC)
- Safe Speed Monitoring (SSM)
Also, to ensure conformity to the new Machinery Directive, consideration of the harmonized application-related standards for machinery—namely, EN ISO 13849-1 and/or EN 62061 and also EN 60204-1 and other similar standards—is required.
Within EN 61800-5-2, there are other considerations for organizational measures, such as fault avoidance and fault control/diagnostic requirements, that also are necessary as part of proof to demonstrate achievement of required systematic integrity. For this, the EN 61800-5-2 standard defines the general requirements for the Management of Functional Safety, the Functional Safety Assessment, as well as the documentation regarding the product’s complete life-cycle phases of development.
Any overlooked or undetected "failures" during the development phase could result in costly modifications, and could delay time to market. Hence, detailed documentation for each development phase is required to achieve the reproducibility of the complete development process. Measures for fault avoidance must be applied for each development phase to avoid systematic failures during product development. These applied measures depend on the targeted SIL.
In addition, EN 61800-5-2 requires determining the probability of a dangerous random failure per hour (PFH). The required PFH value depends on the target SIL, which refers to a complete safety function. Because the drive with the integrated safety function is only one part of the safety loop, the PFH must be sufficiently lower than the value defined by the SIL.
The PFH depends mainly on:
- The chosen architecture
- Estimated failure rate
- Susceptibility to common cause failures
- Diagnostic coverage of the implemented diagnostic tests
- Intervals at which proof tests are undertaken to reveal dangerous faults that were undetected by internal diagnostic tests.
Another recommendation is to consider a minimum mission time of 20 years to avoid further proof tests, because such tests might be difficult to control or rely heavily on end users.
Furthermore, devices with safety-related functions must be tested with increased EMC immunity levels, depending on the intended application, according to EN 61800-5-2.
For applications that must comply with the Machinery Directive, at a minimum, the increased levels according to EN 62061 Annex E must be applied.
The Directives for Drives
The new Machinery Directive must be applied for drives with integrated safety functions that will be used or integrated in machinery safety.
Apart from those standards already mentioned, other standards that must be applied include the harmonized standards, according to the Low Voltage Directive 2006/95/EC and the EMC Directive 2004/108/EC.
Declaration of Conformity
The new Machinery Directive’s Annex IV lists products with increased safety responsibility. These products carry an increased risk of danger to a person or the environment in the event of a failure. For this reason, industries must apply increased requirements for the conformity-assessment procedure. The new Machinery Directive provides different approaches for the declaration of conformity, depending on the existence of appropriate harmonized standards.
Nevertheless, the risk of misinterpreting the requirements is always present for individuals less experienced in safety. This can lead to high costs for the final user if the integrated safety device fails to detect a dangerous condition and/or production is interrupted. Besides the damage to the safety device manufacturer's reputation, legal consequences also could arise.
Because of the consequences of failure, the market’s acceptance of self-declaration is low. Most manufacturers decide to involve a notified body to perform a European Commission (EC)-type examination for them. Third-party approvals provide a comprehensive quality assurance and a proof of safety and suitability for operators, supervisors and licensing authorities.
To perform the required examination, the approach should involve a three-phase procedure comprising a concept review, a main assessment (testing and examinations), and a final report together with issuance of an EC-type examination certificate.
The concept review, performed during the product’s development phase, assesses the product’s performance and the equipment requirements. The concept review also identifies any inherent deficiencies. During the concept phase, the notified body should also provide extensive support to clarify the Machinery Directive’s requirements.
The main assessment includes theoretical and practical verification testing as required evidence of relevant data for proof of compliance. This assessment includes:
- Verification of the safety integrity (fault control)
- Consideration of quality assurance to achieve systematic integrity (fault avoidance)
- Calculation of the probability for failures
- Performance of Failure Mode and Effect Analysis (FMEA)
- Inspection of software, if applicable
- Performance of environmental tests, including EMC
- Review of technical files and user documentation.
Upon successful assessment, an EC-type examination certificate is issued. A final report confirms the safety integrity of the drive’s safety functions. A certified drive benefits the end user because it allows integration into the end user’s system or machinery to complete the total safety loop. The final report contains extensive details, including the relevant safety parameters used for the calculations of the final safety loop. The machine/system builder will require the certificate and the report as proof of functional safety, as required by Machinery Directive 2006/42/EC.
Certification further ensures that all applicable and fundamental safety and health requirements are fulfilled. Based on this, conformity to the Machinery Directive can be declared.
Involvement of an independent test institute as an advisor for functional safety will help to save valuable time during the development and avoid expensive deviation in the early phases of the development.
Thomas Steffens is product manager of electro-sensitive protective equipment and safety-related drive systems at TÜV Rheinland Industrie Service GmbH, located at the company’s global headquarters in Cologne, Germany.